C-RAN Background

C-RAN is still in the early stages of adoption by telecom operators for controller applications as SaaS (Software as a Service) on different vendor PaaS (Platform as a Service), and IaaS (Infrastructure as a Service). National and International standards bodies such as NIST and ETSI are still also in early stages of C-RAN interface standards for these different service layers and there remains a lack of cyber security recommenda-tions and best practices to address threats.

It is reasonable to assume dependent C-RAN infrastructure will be compromised. Historically, the more important and valuable a customer or service providers intangible assets are, the more likely they will be targeted and compromised. C-RAN must now consider robust cyber security and forensics methods to address these threats.

It is important to frame C-RAN with what is taking place in the telecommunications industry. The industry is at an inflection point with tremendous opportunities but also with significant risks. The cost of adding more processing capacity, new radios and antennas – and the resultant heterogeneous network has become economically unsustainable and has led to heavy industry costs for upgrade given the massive increases in demand.

C-RAN is a proposed solution and at the heart of most operator strategies to lower these costs and bring efficiencies but is threatened by security and delivery challenges. Mobile connections are now ubiquitous, mobile social networking applications have skyrocketed, and perhaps even a greater impact will be the demand for mobile video.

"Mobile video is more than doubling between 2010 and 2015 and devouring available bandwidth – one solution to the bandwidth problem is Cloud Radio Access Networks."

- Telecommunications Industry Association, 2014

What is C-RAN

C-RAN’s promise is to add intelligence to the edge by enabling the operator to allow the network to respond dynamically and on-demand to bandwidth and service load requirements, combining collaborative radio and a real-time cloud infrastructure with centralized, general purpose processing solution(s). Many vendors are bringing this concept to market with LTE prototypes – ATT, Intel, Google, and China Mobile to name a few. Current C-RAN LTE base station architectures roughly abstract to a mixed use of custom applications running on commoditized virtualized infrastructure and running 3GPP compliant software.

Instead of dedicated hardware in the base station, workload is divided across multiple cores, while remaining compute cycles can be used to provide applications and service on the C-RAN. Purported benefits include things like comprehensive power management and more importantly – new services can be introduced through software instead of overhauling an entire infrastructure or area deployment with new hardware. RAN and core processing thereby can be consolidated on the same data center platform.

Centralized baseband processing is afforded by a pool of high capacity processing units and what the industry is referring to as real-time virtualization technology. Reliable and high-speed optical networks in turn connect centralized baseband processing pools to a now highly distributed radio network (composed of RF units and antennas). Innovations and optimizations reduce the number of base station sites and lowers CAPEX and OPEX. C-RAN promises to utilize resources more efficiently, lowering power consumption yielding higher on-demand flexibility, while offering significant TCO advantages through the consolidation of multiple workloads. Robust virtualization allows the operator to address the network capacity loads envisioned by the explosion of customer requirements (such as mobile video).

Cloud computing architecture makes this all possible, where commercial off the shelf solutions can be used in different service layers to avoid using customized hardware and software solutions from specific vendors. However, the radio network controller applications in the cloud-computing environment still require all the software and hardware layers of traditional telecom equipment. But, hardware virtualization, OS abstraction layers, and middle layers can be provided to the RAN applications through virtual service layers so that it can remain independent of underlying hardware and software components.

Here is where the ‘rubber hits the road’ for C-RAN. The integrity of all of these interactions is paramount if the operator is to have any kind of confidence in the deployment, provisioning, and automated adjustment and/or manipulation of services. Maintaining and assuring the accuracy and consistency of systems and data is as important, if not more than the availability of the system and resources across the cloud’s virtualization environment. With increased abstraction and reliance on virtualization infrastructure, applications, and API interfaces to the PaaS layer’s machine-to-machine interactions will be paramount. This is where C-RAN exploiters will likely focus their attacks.

Code, APIs, and application vulnerabilities and implementation specific flaws will plague these architectures and service layers. At Guardtime, we have never known a cloud application NOT to be exploitable – and with increased abstraction this is a nightmare scenario for operators managing C-RAN critical communications assets (not to mention their customers utilizing the mobile environment for everything from mobile banking, to social networking, to email, and video).

The complexity of these interactions, their geographically distributed characteristics, and handover of control for important RAN functions is (in our opinion) unprecedented for services in the cloud. C-RAN infrastructure is just as vulnerable to the same cloud threats, which include data breaches, data loss, account or service hijacking, insecure interfaces and APIs, denial of service, malicious insiders, abuse of cloud services, insufficient due diligence, and shared/mixed technology vulnerabilities.

KSI Secured C-RAN

To address these threats and the integrity of C-RAN for the operator, imagine the possibility of an ‘Attributable Network’. Attribution means that the properties of important digital assets (privacy data, customer information, etc.) and C-RAN network component software and/or firmware for assets like routers, switches, applications, virtual machines, configuration information, audit and event log systems, and associated network services can be forensically authenticated with three important properties: evidence of identity, authenticity, and time – that this unique authentication evidence is portable and can be independently verified by anyone without the reliance on cryptographic keys or credentials than can (and will) be exploited.

For API and application integrity, real-time monitoring from any baseline instantiation is now possible. KSI signatures are portable and can literally become part of data they are protecting (applications, database entries, virtualization infrastructure, configuration files, credentials, and/or responsible access, authentication, and authorization assets across the C-RAN).

With the forensic quality instrumentation and attribution afforded by KSI signatures and Guardtime solutions for C-RAN, the instant these components are tampered with is the instant you know there has been an integrity breach and that your customers and enterprise environment – your intellectual property – is at risk. This proof affords the C-RAN operator the ability to trust the provenance and integrity of any network interactions, as well as the C-RAN applications and assets they are managing and/or consuming.

Fundamentally, the signatures generated by Guardtime KSI baseline the state of the C-RAN’s virtualization, object storage, PaaS layer, and M2M infrastructure – Guardtime calls this application of it’s technology to C-RAN ‘Clean State Proof’, highlighting the authenticity, time, and identity of C-RAN critical assets. This proof information can then be sent and escrowed (aggregated) across the network enterprise or across service providers without disclosing the underlying contents of the data the signatures protect.

By collecting, analyzing, correlating and reporting this evidence operators can build a real-time integrity picture of the network and/or important C-RAN applications, APIs, firmware, M2M components, and virtual images.

With this real-time awareness regarding the integrity state of C-RAN asset components, operators seeking to protect the integrity of the services can then make forensically grounded real-time decisions in the event that the C-RAN assets are compromised - quickly identifying the cause and specific component(s) responsible for the loss of integrity.

Subsequently, with this real-time awareness, real-time incident response, real-time data-loss prevention, investigation, and/or C-RAN Continuity of Operations (resilience) is now possible to detect and react (or rollback) to any misconfiguration, network and/or component/application integrity failure.

How to Get KSI for C-RAN Platforms?

Guardtime's products and solutions can be purchased for your environ-ment following our Design, Build, Operate, and Transfer (DBOT) model.

We're always happy to discuss your concrete requirements, please register your interest.